Privacy Policy

Last updated: March 24, 2026

Cardeau Inc. (“Cardeau,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our digital gift card platform, including our website, embeddable widget, merchant dashboard, and related services (collectively, the “Service”). By using the Service, you consent to the practices described in this policy.

1. Information We Collect

Information You Provide

  • Account information: Name, email address, phone number, and business details (for Merchants).
  • Purchase information: Gift card recipient name, recipient email, personal message, delivery preferences, and selected amount.
  • Payment information: Payment details are collected and processed directly by Stripe. Cardeau does not store your credit card number, CVV, or full payment account details on our servers.

Information Collected Automatically

  • Device information: Browser type, operating system, device type, and screen resolution.
  • Usage data: Pages visited, actions taken, time spent on the Service, and referring URLs.
  • IP address: Used for fraud prevention, security, and approximate geographic location (country/province level only).

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Process transactions: To facilitate gift card purchases, process payments via Stripe, and manage gift card balances and redemptions.
  • Deliver gift cards: To send gift card delivery emails, SMS notifications, and Apple/Google Wallet passes to recipients.
  • Send receipts and confirmations: To provide purchase receipts, order confirmations, and balance reminders.
  • Provide the Service: To operate, maintain, and improve the Cardeau platform, including the merchant dashboard and analytics.
  • Security and fraud prevention: To detect and prevent fraudulent transactions, unauthorized access, and other security threats.
  • Analytics: To understand how the Service is used and to improve the user experience (aggregated, non-personally identifiable data).
  • Legal compliance: To comply with applicable laws, regulations, and legal processes.

3. Information Sharing

We do not sell, rent, or trade your personal information to third parties. We share information only in the following circumstances:

  • With Merchants: When you purchase a gift card, the issuing Merchant receives your name and email address (or the recipient’s) to facilitate delivery and redemption. Merchants are contractually required to handle this information in accordance with applicable privacy laws.
  • With Stripe: Payment information is shared with Stripe to process transactions. Stripe’s handling of your data is governed by their Privacy Policy.
  • With Twilio: Phone numbers are shared with Twilio for SMS delivery of gift cards and OTP verification. Twilio processes data in the United States; this is documented here as the data transferred is minimal (phone number only).
  • Legal requirements: We may disclose information when required by law, legal process, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4. Data Residency

All personal data collected through the Cardeau platform is stored and processed exclusively in Canadian data centres. Our databases, caches, object storage, and application servers are all hosted within Canada.

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and all applicable provincial privacy legislation. Personal data is not transferred outside of Canada except as specifically noted (e.g., Twilio SMS delivery), and such transfers involve minimal data and are disclosed in this policy.

5. Quebec Law 25 / Bill 64

For residents of Quebec and Merchants operating in Quebec, Cardeau complies with Quebec’s Act respecting the protection of personal information in the private sector, as amended by Bill 64 (Law 25). This includes:

  • Privacy Impact Assessments (PIA): We conduct privacy impact assessments before implementing any new system or feature that processes personal information.
  • Explicit consent: We obtain explicit, granular consent before collecting personal information, clearly explaining the purpose of collection at the time of consent.
  • 72-hour breach notification: In the event of a privacy breach presenting a risk of serious harm, we will notify the Commission d’accès à l’information (CAI) and affected individuals within 72 hours.
  • Right to data portability: Quebec residents may request a copy of their personal information in a structured, commonly used, and machine-readable format.
  • Designated Privacy Officer: Cardeau has designated a Privacy Officer responsible for overseeing compliance with privacy legislation. You may contact our Privacy Officer at [email protected].

6. Cookies & Tracking

Cardeau uses minimal cookies that are strictly necessary for the operation of the Service:

  • Session cookies: To maintain your session while using the Service (e.g., logged-in state for Merchants).
  • Security cookies: To prevent cross-site request forgery (CSRF) and other security threats.
  • Preference cookies: To remember your language preference (English/French).

We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track you across other websites. We do not participate in ad networks or sell browsing data.

7. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this policy, or as required by law:

  • Transaction records: Retained for a minimum of seven (7) years as required by Canadian tax law and provincial consumer protection regulations.
  • Gift card records: Retained indefinitely as gift cards do not expire under Canadian law and must remain redeemable.
  • Account information: Retained while your account is active. You may request deletion of your account and associated personal data at any time, subject to legal retention requirements.
  • Consent records: Records of consent (including timestamp and IP address) are retained for the duration required by CASL (minimum 3 years after consent is withdrawn).

8. Your Rights

Under PIPEDA and applicable provincial privacy legislation, you have the following rights regarding your personal information:

  • Access: You may request access to the personal information we hold about you.
  • Correction: You may request that we correct inaccurate or incomplete personal information.
  • Deletion: You may request deletion of your personal information, subject to legal retention requirements and our obligation to maintain gift card records.
  • Portability: You may request a copy of your personal information in a structured, machine-readable format (particularly for Quebec residents under Law 25).
  • Withdraw consent: You may withdraw consent for the collection, use, or disclosure of your personal information at any time. Note that withdrawing consent may affect our ability to provide certain services.

To exercise any of these rights, contact us at [email protected]. We will respond to requests within 30 days, or within the timeframe required by applicable law.

9. Children’s Privacy

The Cardeau Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information as soon as practicable. If you believe we have collected information from a child under 13, please contact us at [email protected].

10. Security

We implement industry-standard security measures to protect your personal information:

  • Encryption: All data in transit is protected with TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256.
  • PCI compliance: Cardeau maintains SAQ-A PCI DSS compliance. All payment card data is handled exclusively by Stripe and never touches our servers.
  • Infrastructure security: Canadian-hosted servers with firewalls, intrusion detection, regular security audits, and automated vulnerability scanning.
  • Access controls: Strict role-based access controls, multi-factor authentication for internal systems, and principle of least privilege.

While we strive to protect your information, no method of transmission or storage is 100% secure. We encourage you to use strong passwords and protect your account credentials.

11. CASL Compliance

Cardeau complies with Canada’s Anti-Spam Legislation (CASL) regarding electronic communications:

  • Express consent: Required for all marketing and promotional emails. Consent is obtained through clear, affirmative opt-in (not pre-checked boxes).
  • Implied consent: Relied upon for transactional communications related to active purchases (e.g., balance reminders within 2 years of purchase).
  • Transactional emails: Gift card deliveries, receipts, and order confirmations are exempt from consent requirements under CASL.
  • Unsubscribe: Every commercial email includes a one-click unsubscribe mechanism. Unsubscribe requests are processed within 10 business days.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the “Last updated” date at the top of this page and notify affected users via email or through the Service. We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

13. Contact — Privacy Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact our Privacy Officer:

Privacy Officer, Cardeau Inc.

Toronto, ON, Canada

Email: [email protected]

You also have the right to file a complaint with the Office of the Privacy Commissioner of Canada or, for Quebec residents, the Commission d’accès à l’information du Québec.